HHS Proposes New Encryption and Cybersecurity Standards for Healthcare Organizations
The U.S. Department of Health and Human Services (HHS) is intensifying its digital security measures in response to a surge of cyberattacks that have compromised sensitive patient information throughout the year. Notable breaches at prominent healthcare entities, including Ascension and UnitedHealth, have prompted this urgent shift in cybersecurity strategy.
In an upcoming notice of proposed rulemaking, HHS plans to mandate that healthcare organizations implement data encryption, conduct regular compliance audits, and revise specific cybersecurity standards under the Health Insurance Portability and Accountability Act (HIPAA). This regulatory update aims to fortify existing cybersecurity measures that have remained unchanged for over a decade, reflecting the increasing urgency to safeguard patient data in a landscape fraught with cyber threats.
Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies, emphasized the gravity of the situation during a recent press briefing, stating, “One of the most troubling issues we face is the hacking of hospitals and healthcare data.” The planned updates are attributed to persistent compliance failures across the sector, which have led to alarming breaches, such as the Change Healthcare incident, projected to result in costs near $2.9 billion for UnitedHealth Group.
According to Neuberger, the consequences of inaction are severe, presenting significant risks to critical infrastructure and patient safety. The White House estimates that the first year of implementing the updated security rule may incur costs of approximately $9 billion, followed by an additional $6 billion over the subsequent four years.
The HHS Health Sector Cybersecurity Coordination Center has been proactive in urging healthcare organizations to bolster their defenses amid a rising tide of cyber threats. Recent advisories have underscored the increasing sophistication and frequency of attacks, particularly those using “living-off-the-land” techniques, which abuse legitimate tools and features already present on systems and are therefore harder to distinguish from normal activity, further eroding sector resilience.
In 2024, many Americans received breach notification letters from organizations like Change Healthcare, highlighting the ongoing vulnerabilities across the healthcare landscape. On June 20, the company issued a substitute HIPAA breach notice via its website for affected individuals.
HHS has not yet provided an official response to requests for further comment regarding these proposed cybersecurity measures.